Mobile Threat Booms: Revisit Your BYOD Policies

With the amount of new malware that targets mobile devices growing exponentially, if you have not set down rules for employees who use their own smart phones for company business, you should do so now.

Network security firm PandaLabs has reported that in the second quarter of 2015, it saw an average of 230,000 new types of malware every day and a total of 21 million new threats. Those figures are up an astounding 43% from the second quarter of 2014.

Worse, the report noted that a large number of the new types are variants or mutations of previously known malware, and cyber-criminals are multiplying the types of malware to evade detection by antivirus software and apps.

Attacks on mobile devices also increased, says the report: malware for the Android mobile platform rose, and more and more ransomware is being developed for the iPhone platform.

Don’t think it’s a threat? In 2014, for the first time, Android devices were infected at the same rate as computers running the Microsoft Windows operating system.

The “Motive Security Labs Malware Report” by Alcatel-Lucent estimates that some 16 million devices are infected by malware.

With mobile device malware infections at an all-time high, your IT decision-makers may need to re-evaluate your company’s bring-your-own-device (BYOD) policies and the way security standards address personal phones, tablets and other Internet-connected machines in the workplace.

Mobile device malware will hit small and midsize businesses harder because of the popularity of BYOD in companies with smaller budgets and IT staffs.

Up until now, most companies’ BYOD security policies have focused on lost devices, password protection and the use of public Wi-Fi when transmitting sensitive data. Even policies that include the installation of anti-malware software on the device do not completely address the mobile malware problem, according to the IBM-operated technology news website PivotPoint.

A number of developers are working hard to devise new apps that detect malware threats, but some of them are not ready for prime time. Also, because the amount of new malware continues to grow, it will be difficult for app developers to keep up and catch everything.

Here are some tips for your BYOD policy, courtesy of Information Age magazine:

No unauthorized downloads – Your policy should warn against downloading apps from unauthorized sources. Unfortunately, this can’t guard against malware that is embedded into mobile sites or distributed through e-mails and text messages. That’s because mobile devices don’t have the same set of malware checks that a desktop computer has, such as verifying a link or attachment.

Use with care – Inform your BYOD users that they need to be more cognizant of their online behavior. You will need to be creative in how you educate your employees about the risks of mobile malware.

Keep a register of connected devices – As the IT team connects personal devices to the company network, they should also keep a record of the user and their device details. By maintaining a detailed register, companies can audit their company network regularly to detect unauthorized connections and resource usage.

Enforce on-device security – All smart phones and tablets come with passcode controls that restrict access. As part of an employer’s default BYOD agreement, staff should be expected to have the passcode enabled before they are granted access to corporate resources.

Use existing network tools more intelligently – Many common network tools and services have functions that make it easier to manage mobile devices. Microsoft Exchange can be used to perform remote data wipes on stolen devices, for example. Companies can make full use of these tools to automate common mobile device management tasks and to manage network logons, for instance.

Force VPN use – All devices now support VPN connectivity in the same way that laptops do. To ensure that data transferred to and from devices is secure in transit, make VPN set-up one of the initial tasks to carry out when adding a new device.

Mobile device management (MDM) platform – For the best security, you may want to consider an MDM system. This platform allows you to enroll devices, specify and enforce network access rights and even apply content filtering to keep staff focused on work-related activities.

Insurance

Finally, your firm should look into cyber liability insurance that can cover costs related to a cyber breach.